Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how Celovarix (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit this website and when you contact us about our online educational content for bead necklace weaving and handmade jewelry creation.

Data Controller: Celovarix. Registered address: Výškovická 3085/2, Zábřeh, 700 30 Ostrava, Czechia. Contact email: [email protected].

Effective date: March 18, 2026. If we make material changes, we will update the “Last Updated” date and provide notice as described in Section 17.

2. Personal Data We Collect

We collect personal data that you choose to provide, as well as limited technical information necessary to operate and secure the site. The categories below describe what we may collect, depending on how you interact with the website.

• Identity and contact data: name, email address, and (if you choose to share it) a phone number in a message.
• Form content: the content you submit in a registration request, contact request, or message, including any project details you include.
• Technical data: IP address, browser type and version, device and operating system, language settings, and approximate location inferred from IP (city/region level).
• Usage data: pages viewed, time spent on pages, referrer page, clicks and navigation paths, and basic conversion events (for example, successful form submissions).
• Cookies and identifiers: cookie identifiers and preference signals as described in Section 4 and in our Cookie Policy.

We do not intentionally collect special-category personal data (such as health information, religious beliefs, political opinions), financial account details, payment card numbers, or government identification numbers through this website. Please do not include sensitive information in free-text fields.

3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)

We process personal data only when we have a lawful basis under the GDPR and applicable local law. The main purposes and legal bases are:

• Responding to registration requests and inquiries: to send requested information and reply to messages. Legal basis: GDPR Art. 6(1)(b) (steps at your request prior to entering into a contract) and Art. 6(1)(a) (consent) where you provide explicit consent via the form.
• Site analytics (if enabled with consent): to understand how visitors use the site and improve content structure and usability. Legal basis: GDPR Art. 6(1)(a) (consent).
• Marketing and remarketing (if enabled with consent): to measure advertising performance and show relevant offers. Legal basis: GDPR Art. 6(1)(a) (consent).
• Security, fraud prevention, and abuse detection: to protect the website and users against malicious activity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests).
• Legal and compliance obligations: to comply with applicable laws and respond to lawful requests. Legal basis: GDPR Art. 6(1)(c) (legal obligation).

Automated decision-making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Cookies & Tracking

We use cookies and similar technologies to operate the website, remember your preferences, and (if you consent) measure performance and advertising effectiveness. Cookie categories on this site match our cookie banner and preference panel.

Essential cookies (always active)

Essential cookies are required for the site to function. They support core features such as session continuity and saving your cookie preference. Examples include _site_session and cookie_consent. Retention ranges from session to up to 12 months depending on the cookie.

Analytics cookies (consent required)

If you consent to analytics cookies, we may use Google Analytics 4 (GA4) with IP anonymization (where applicable) to understand how the site is used. Examples include _ga and _ga_XXXXXXXXXX. Analytics data retention is typically set to 14 months.

Marketing cookies (consent required)

If you consent to marketing cookies, we may use advertising technologies such as Google Ads and the Meta Pixel for conversion attribution, remarketing, and audience creation. Examples include _gcl_au, _fbp, and _fbc, generally retained for around 90 days depending on provider settings.

Beyond cookies, some tracking may occur through pixel tags and similar scripts. Where used, analytics and marketing tools activate only after you give consent through the cookie preference panel. If you later withdraw consent, we will stop activating those tools and attempt to remove related cookies where feasible.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Marketing and analytics cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Consent is recorded in the cookie_consent browser cookie (typically 12 months).

You may withdraw consent at any time via “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.

6. Sharing With Advertising & Service Partners

We may share limited data with service providers and advertising partners to operate the site and, where you consent, to measure and improve marketing performance. We do not sell personal data.

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): may receive cookie IDs, usage data, and conversion events. Privacy information: https://policies.google.com/privacy.
• Meta Platforms (Meta Pixel, Custom/Lookalike Audiences, Conversion API where used): may receive page view events, conversions, and identifiers (which may include hashed data where applicable). Privacy information: https://www.facebook.com/privacy/policy.
• Cloudflare (CDN and security): may process IP addresses and device signals to provide security and performance services. Privacy information: https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes. They process personal data on our instructions or as separate controllers depending on the tool and configuration.

7. International Transfers

Some partners and infrastructure providers may process personal data outside the EEA/UK, including in the United States. Where transfers occur, we use appropriate safeguards such as:

• EU–US Data Privacy Framework (DPF) (primary safeguard where available since July 2023), including the UK Extension and Swiss–US DPF where applicable.
• Standard Contractual Clauses (EU 2021/914) as a fallback.
• UK International Data Transfer Addendum/Agreement (IDTA) as a fallback for UK transfers.

8. Data Retention

We keep personal data only as long as necessary for the purposes described in this Privacy Policy:

• Contact and registration submissions: up to 2 years from the last interaction to handle follow-ups and support.
• Analytics data: typically 14 months (tool configuration).
• Marketing cookies: for the cookie lifetime defined by the provider (often 90 days) unless deleted earlier.
• Email correspondence: for the duration of the relationship plus up to 1 year.
• Server/security logs: typically 90 days unless needed longer for incident investigation.
• Cookie consent record: up to 3 years for audit and compliance purposes.
• Legal and tax: where required by law, typically 6–10 years for certain records.

9. Your Rights (GDPR & UK GDPR)

Depending on your location, you may have the following rights:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise your rights, contact us at [email protected]. We typically respond within 30 days. For complex requests, we may extend the response time by up to 60 additional days as permitted by law, and we will inform you if an extension is needed.

Supervisory authority references: EU guidance is available via the EDPB (https://edpb.europa.eu). In the UK, the ICO (https://ico.org.uk). Other examples include Germany’s BfDI (https://www.bfdi.bund.de), France’s CNIL (https://www.cnil.fr), Poland’s UODO (https://uodo.gov.pl), and Spain’s AEPD (https://www.aepd.es).

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own handling of browser signals and privacy controls.

12. Data Deletion Requests

You may request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may ask for additional information to verify your identity before completing the request. We aim to complete deletion within 30 days, except where retention is required by law or necessary to establish, exercise, or defend legal claims.

13. Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, reorganization, or insolvency, personal data may be transferred as part of that transaction. We will provide a notice on the site if such a transfer materially changes how personal data is used.

14. California (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (as amended by the CPRA). In the past 12 months, we may have collected:

• Identifiers: name, email address, IP address, cookie IDs.
• Internet or network activity: browsing and interaction data on our site.
• Inferences: interests or preferences derived from site usage (where marketing/analytics cookies are enabled with consent).

We disclose these categories to service providers and advertising partners for analytics and advertising measurement. We do not sell personal information as defined by the CCPA. We do share data for cross-context behavioral advertising when marketing cookies are enabled; California residents may opt out via our cookie preferences panel.

California rights may include the right to know, delete, correct, and opt out of sale/sharing, as well as the right to non-discrimination. To submit a request, email [email protected] with the subject line “California Privacy Request”. We will verify your identity as required by law. Authorized agents may submit requests with written proof of authorization.

15. Virginia (VCDPA)

If you are a Virginia resident, you may have the right to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising. To submit a request, email [email protected] with the subject line “Virginia Privacy Request”.

We do not sell personal data or engage in profiling that produces legal or similarly significant effects. If we refuse to act on your request, you may appeal by emailing with the subject line “Appeal of Refusal — Privacy Request”. We will respond within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to the website, tools we use, or legal requirements. If changes are material, we will announce them via a notice on the homepage at least 14 days before the updated policy takes effect, where required.

18. Contact

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact:

Celovarix
Výškovická 3085/2
Zábřeh, 700 30 Ostrava, Czechia
Email: [email protected]